Single Sign-On
Single sign-on (SSO) allows users to use a single login across multiple enterprise applications. The Single Sign-On feature allows your team to sign in using your existing identity provider instead of an Invoiced username and password.
Setup
In the Invoiced application:
- Go to Settings → Team → Single Sign-On. If you do not see the Single Sign-On tab then contact Invoiced Support to have this feature enabled.
- Turn on the SAML Enabled toggle.
- In the Allowed Email Domain field, enter the email domain that your users will sign in with.
- Copy the issuer URL from your identity provider into the Issuer (Identity Provider Entity ID) field.
- Copy the sign-in URL from your identity provider into the Sign In URL field.
- Copy the certificate from the identity provider and paste it into the Certificate field.
Within your identity provider, follow these instructions:
- Create a new SAML 2.0 application in your identity provider for Invoiced.
- Copy the Assertion Consumer Service (ACS) URL value from the Setup Info section to the application ACS URL field in your identity provider.
- Copy the Service Provider Entity ID / Audience URI value from the Setup Info section to the application entity ID field in your identity provider.
- Set the NameID attribute to the user's email address.
Once the application has been configured both in Invoiced and in the identity provider, users should be able to sign in using single sign-on.
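Most identity providers publish the issuer, sign-in URL and signing certificate together in a SAML metadata XML document. The following added example (not Invoiced's code) extracts the values for the Issuer, Sign In URL and Certificate fields from such metadata and computes a SHA-256 fingerprint of the certificate to compare with the one your identity provider displays. The sample metadata, the idp.example.com URLs, the function name and the default HTTP-Redirect binding are assumptions.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
BINDINGS = "urn:oasis:names:tc:SAML:2.0:bindings:"
# Constructed stand-in for DER certificate bytes; not a real certificate.
SIGNING_DER = b"constructed signing certificate placeholder"

def _key(use, der):
    b64 = base64.b64encode(der).decode()
    return (f'<md:KeyDescriptor use="{use}"><ds:KeyInfo><ds:X509Data>'
            f'<ds:X509Certificate>{b64}</ds:X509Certificate>'
            '</ds:X509Data></ds:KeyInfo></md:KeyDescriptor>')

# Constructed sample metadata for a hypothetical IdP at idp.example.com.
SAMPLE_METADATA = (
    f'<md:EntityDescriptor xmlns:md="{NS["md"]}" xmlns:ds="{NS["ds"]}" '
    'entityID="https://idp.example.com/saml/metadata"><md:IDPSSODescriptor '
    'protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
    + _key("encryption", b"constructed encryption placeholder")
    + _key("signing", SIGNING_DER)
    + f'<md:SingleSignOnService Binding="{BINDINGS}HTTP-POST" '
    'Location="https://idp.example.com/sso/post"/>'
    f'<md:SingleSignOnService Binding="{BINDINGS}HTTP-Redirect" '
    'Location="https://idp.example.com/sso/redirect"/>'
    '</md:IDPSSODescriptor></md:EntityDescriptor>')

def invoiced_sso_fields(metadata_xml, binding="HTTP-Redirect"):
    """Return the Issuer, Sign In URL and Certificate values from IdP metadata."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    # A KeyDescriptor with no use attribute covers signing as well.
    certs = [kd.findtext(".//ds:X509Certificate", "", NS)
             for kd in idp.findall("md:KeyDescriptor", NS)
             if kd.get("use", "signing") == "signing"]
    urls = {s.get("Binding"): s.get("Location")
            for s in idp.findall("md:SingleSignOnService", NS)}
    cert = "".join(certs[0].split()) if certs else ""
    sign_in_url = urls.get(BINDINGS + binding, "")
    if not cert or not sign_in_url.startswith("https://"):
        raise ValueError("need a signing certificate and an HTTPS sign-in URL")
    digest = hashlib.sha256(base64.b64decode(cert)).hexdigest().upper()
    return {"issuer": root.get("entityID"), "sign_in_url": sign_in_url,
            "certificate": cert, "sha256_fingerprint": ":".join(
                digest[i:i + 2] for i in range(0, 64, 2))}
```

Parse only metadata obtained directly from your own identity provider. The certificate is returned as its base64 body, so wrap it in BEGIN CERTIFICATE / END CERTIFICATE lines if the field expects PEM.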
Usage
Once SSO is properly configured, users can sign in to Invoiced from your Identity Provider using a feature known as Identity Provider-Initiated Sign In.
It is also possible to sign in using SSO from Invoiced if users go to the Start URL in the Setup Info section or if users click the Login with SSO button on the Invoiced login screen.
Limitations
When using Single Sign-On on Invoiced, it is important to know these limitations and features that are not supported.
- You can only use an email domain (e.g. @example.com) with a single tenant.
- We do not currently support mandating that single sign-on is the only supported sign-in mechanism. Users will still be able to sign in with username and password.
- Just-In-Time (JIT) user provisioning is not supported. New users must also be added to Settings → Team → Users.
- Single Log Out (SLO) is not supported.
- System for Cross-domain Identity Management (SCIM) is not supported.